**Abstract**

We propose introducing a new way to calculate a block’s generation signature using VRF – Verified Random Functions.

**Motivation and Purposes**

We want to improve our PoS algorithm so that it can successfully resist “stake grinding” attacks that exploit the possibility of influencing the block generation randomness. A possible way to use a “stake grinding” attack in our current PoS system is as follows: a pseudo-randomness that is used for choosing the next block’s generator depends on the generator of the previous block and is determined for each possible generator. The generator can manipulate randomness by skipping their opportunity to create a block. This can be done in order to get the best next combination of block generators or generation blocks. An attacker can also reallocate their funds between accounts for the same reason.

In Waves, a block’s generation signature is calculated deterministically: *generationSignature(n)* can be obtained by *Blake2b256* hashing of the *n*-th block’s generation signature *generationSignature(n-1)* and the public key *pk(n)* of the new block’s generator:

*generationSignature(n) = Blake2b256(generationSignature(n-1) + pk(n))*

The generation signature from *(n-100)*-th block affects how soon the *(n+1)*-th block’s generator (current miner) will be able to generate a block after *n*-th block. As a source of randomness, *generationSignature(n-100)* is concatenated with a possible miner’s public key and then *Blacke2b256* hashed. The ﬁrst 8 bytes of the resulting 32 bytes hash are converted to a number, which is called the account *hit*:

*hit(n) = X(n) = <the first 8 bytes of> Blake2b256(generationSignature(n-100) + pk(n))*,

where *pk(n)* is the public key of the (*n* + 1)-th block generator.

The *hit* value is used as a source of pseudo-randomness though in fact it is predictable, because the generation signature and public keys of all possible generators are publicly known.

For hit calculation, *height = (n-100)* is used due to the ability of multi-branching attacks: an attacker controls stake distributed over *N* forging accounts. Every time an honest miner forges a new block based on the current best block (parent-block), the attacker generates N hidden chains based on the same parent block. Their goal is to make alternative forks win over the main one by overtaking it. In order to reduce the effectiveness of multi-branching attack we use a pseudo-random variable from block *(n - 100)*, but not from *n*-th block. This will eliminate the combinatorial effect. All the miner’s blocks at the same height have the same delay no matter how many chains they try to extend. Also, the probability of overtaking the main chain by a fork decreases with the increasing height of the main chain, since the attacker has a smaller balance.

Currently, the time for a miner to generate a block depends on the values from the header of the block that was 100 blocks ago (pseudo-random variable generation signature) and the previous block (base target and timestamp), and the generating balance of the current miner. More specifically, the time delay (the time to wait before this miner can generate a new block after the *n*-th block) is calculated by the following formula:

*T(i,n) = Tmin + C1 log(1 – C2 log(X(i,n) / Xmax) / (b(i,n) · Λ(n)))*,

where

*T(i,n)* is the time delay that the *i*-th account’s has to wait after the n-th block is generated, before she is able to generate the (*n* + 1)-th block,

*Tmin* = 5000 ms,

*C1*, *C2*, are constants,

*X(i,n)* is the hit of the *n*-th block for the *i*-th account,

*Xmax* = 2^64 - 1 is the maximum signature with the length of the hit (8 bytes),

*b(i,n)* is the generation (forging) power of the *i*-th account (generation balance) in the *n*-th block,

*Λ(n)* is the base target value of the n-th block.

More details with the explanation of our PoS formula can be found in the article Fair PoS.

**Rationale**

To avoid stake-grinding attacks we want to improve our generation signature calculation formula. For this purpose, we want to implement VRF - a pseudo-random function that uses a message and the private key of an account to provide a non-interactively verifiable proof for the correctness of its output. The use of VRF makes hit generation unpredictable because of the need to know the private key for calculation. Only the holder of the private key can compute the hit, but anyone with the public key can verify the correctness of it.

**Specification**

We chose to implement ECVRF, which is currently undergoing standardization, by Sharon Goldberg, Moni Naor, Dimitris Papadopoulos, Leonid Reyzin, and Jan Včelák [draft-irtf-cfrg-vrf-05].

The VRF implementation contains *signVRF* function, which calculates *proof* for some *message* with the *private key* of the signer:

*VRFProof = signVRF(message, private key)*,

and *verifyVRF* function, which verifies proof from *signVRF* function with a *message* and the *public key* of the signer and returns deterministic *VRF* value:

*VRF = verifyVRF(proof, message, public key)*.

Thus, now we consider that a block’s generation signature is equal to signVRF output (a VRF proof, that takes 96 bytes) for a VRF 100 blocks before, with account private key *sk(n)* (of the generator of the *n*-th block):

*generationSignature(n) = signVRF(VRF(n-100), sk(n)).*

For the calculation of a time delay between *n*-th and (*n* + 1)-th blocks for concrete block generator, the *hit* is calculated with the use of *verifyVRF* function as follows:

*VRF(n) = verifyVRF(generationSignature(n), VRF(n-100), pk(n))*.

*hit(n) = <the first 8 bytes of> VRF(n)*,

where *sk(n)* and *pk(n)* are the *n*-th block generator’s private and public keys, respectively.

The output of signVRF function is a VRF proof, which means that the validity of the hit calculation can be checked via verifyVRF function. At the same time, its calculation requires the generator’s private key, so hitn cannot be predicted before generationSignaturen is published.

**Backward Compatibility**

As with the implementation of any other features, there will be a certain activation parameter for the VRF feature for voting by miners. Accordingly, the transition to the new scheme will be implemented via activation height.

The generation signature is calculated using the following algorithm:

*generationSignature(n)=Blake2b256(generationSignature(n-1), pk(n))*,

where *pk(n)* is the public key of *n*-th block’s generator.

Starting from activation height, the generation signature will be calculated as follows:

*generationSignature(n) = signVRF(VRF(n-100), sk(n))*,

where *s(k)* is the *n*-th block’s generator’s private key and the signature (VRF proof) takes 96 bytes.

Before the activation height, the time delay (the time to wait until the n-th block can be generated by a concrete miner) depends on the hit, which is calculated as

*hit(n) = <the first 8 bytes of> SHA256(generationSignature(n-100) + pk(n))*.

After activation height, the output of functions signVRF and verifyVRF will be used for defining the hit (the signVRF output takes 96 bytes, and the verifyVRF output takes 32 bytes):

*VRF(n) = verifyVRF(generationSignature(n), VRF(n-100), pk(n))*,

*hit(n) = <the first 8 bytes of> VRF(n)*,

where *sk(n)* and *pk(n)* are the *n*-th block generator’s private and public keys, respectively.

If VRF proof verification fails, the program will throw an exception.

After activation height, the generation signature and hit will be calculated using the same pair of keys (public + private) as before.

**Examples and Implementation**

We have a java implementation of C-library from signal. Our implementation can be found here.